Client software would be sufficient. If the users are sensitive to "extra steps to connect" you may want to consider something like a PIX 501 feeding the bridge and acting as the remote VPN endpoint.
LEAP has been compromised in some way in recent history but I haven't read the reports, and I do not know if it's a genuine issue. You may want to search around and see for yourself.
Good Luck
Scott